OFFICE OF INSPECTOR GENERAL
UNITED STATES POSTAL SERVICE

Global Express Guaranteed

Audit Report

September 27, 2011

Report Number FF-AR-11-016


IMPACT ON:
International mail internal control procedures and customers who use the
global express product.

WHY THE OIG DID THE AUDIT:
Our objective was to determine whether control procedures over acceptance,
processing, tendering, delivering, and oversight of Global Express
Guaranteed® (GXG) mailings are in place and operating effectively. This
audit was self-initiated to identify GXG financial and operational risks.

WHAT THE OIG FOUND:
The U.S. Postal Service generally had effective control procedures over
processing, tendering, and delivering GXG mailings. However, control
procedures over acceptance and oversight of GXG billings needed
improvement. Specifically, GXG program management did not properly
validate FedEx® Corporation billings. Consequently, the Postal Service paid
FedEx about $314,000 without adequate support. In addition, management did
not timely re-certify and accredit the GXG database. As a result,
management cannot ensure the GXG database is adequately protected to
prevent security threats and vulnerabilities that could negatively affect
the Postal Service brand.

WHAT THE OIG RECOMMENDED:
We recommended management validate GXG billings and conduct a
re-certification and accreditation of the GXG database.

WHAT MANAGEMENT SAID:
Management agreed with both recommendations and the recertification and
accreditation of the GXG database finding. Management disagreed with the
basis for our audit and the finding related to GXG validation and scanning
procedures.

AUDITORS’ COMMENTS:
Regarding management’s disagreement with the basis of our audit, we informed
them of the audit objectives in our audit fieldwork announcement letter.
Further, during the audit, GXG management implemented new procedures to
address their specific concerns discussed at the onset of the audit.
Regarding management’s disagreement with the GXG validation and scanning
procedures finding and monetary impact, the GXG Alliance Agreement states
that the Postal Service will request that FedEx provide supporting
documentation for the amount billed. GXG management did not request the
documentation.


September 27, 2011

MEMORANDUM FOR:            GISELLE E. VALERA
                           VICE PRESIDENT, GLOBAL BUSINESS

                           CHUCK L. McGANN
                           MANAGER, CORPORATE INFORMATION SECURITY

FROM:                      John E. Cihota
                           Deputy Assistant Inspector General
                            for Financial Accountability

SUBJECT:                   Audit Report – Global Express Guaranteed
                           (Report Number FF-AR-11-016)

This report presents the results of our audit of Global Express Guaranteed®
(Project Number 11BD002FF000).

We appreciate the cooperation and courtesies provided by your staff. If you have any
questions or need additional information, please contact Kevin H. Ellenberger, director,
Field Financial - East or me at 703-248-2100.

Attachments

cc: Joseph Corbett
    Paul E. Vogel
    Ellis A. Burgoyne
    Franca S. Davis
    Elizabeth A. Richardson
    Corporate Audit and Response Management


TABLE OF CONTENTS

Introduction
Conclusion
GXG Validation and Scanning Procedures
Re-Certification and Accreditation of the GXG Database
Recommendations
Management’s Comments
Evaluation of Management’s Comments
Appendix A: Additional Information
    Background
    Objective, Scope, and Methodology
    Prior Audit Coverage
Appendix B: Monetary Impact
Appendix C: Management’s Comments


Introduction

This report presents the results of our audit of Global Express Guaranteed® (GXG) mail
procedures (Project Number 11BD002FF000). This audit addresses financial and
operational risks. Our objective was to determine whether control procedures over
acceptance, processing, tendering, delivering, and oversight of GXG mailings are in
place and operating effectively. This audit was self-initiated to identify GXG financial
and operational risks. See Appendix A for additional information about this audit.

GXG is the U.S. Postal Service’s premium international shipping option for
documents and merchandise. This service offers mailers guaranteed date-certain
delivery (1-3 days) to destinations in 190 countries. The Postal Service began using the
FedEx® Corporation to transport GXG mailings on July 1, 2004. On June 15, 2009, the
Postal Service renewed the GXG Alliance Agreement[1] through June 30, 2014.
In fiscal year (FY) 2010, the Postal Service’s GXG revenue and volume were approximately
              and 244,668 pieces, respectively.

Conclusion

The Postal Service generally had effective control procedures over processing,
tendering, and delivering GXG mailings. However, control procedures over acceptance
and oversight of GXG billings needed improvement. Specifically, GXG program
management did not properly validate FedEx billings for GXG deliveries. Consequently,
the Postal Service paid FedEx about             for delivering GXG mail without
adequate support. In addition, management did not timely re-certify and accredit the
GXG database. As a result, management cannot ensure the GXG database is
adequately protected to prevent security threats and vulnerabilities that could negatively
affect the Postal Service brand.

GXG Validation and Scanning Procedures

GXG program management personnel did not properly validate FedEx billings for GXG
deliveries. Specifically, we found 3,621 of 244,668 GXG mailings in FY 2010[2]
                              where management did not obtain evidence that these
represented valid billings. For these mailings, Postal Service systems did not contain
evidence that personnel completed any of the scans required as the mailing moved
through the Postal Service network.[3] Alternatively, management did not obtain other
valid alternative supporting documentation because they did not believe they needed to
do so.

[1] The Alliance Agreement for Global Express Guaranteed is a written document outlining
the terms and conditions agreed upon between the Postal Service and FedEx.
[2] Upon receipt of the electronic invoice from FedEx, the Postal Service will verify
service. The Postal Service will validate the FedEx bill by matching the item number
scans, based on the Postal Service tracking number, against the comparable data element
in FedEx acceptance scans.
[3] Retail and processing employees must maintain a total of three scans per mailing for
acceptance, processing, and tendering to FedEx. These mailings did not have any of the
required scans.

According to the Alliance Agreement with FedEx, the Postal Service should request a
copy of the air waybill[4] image when GXG mailings submitted for payment do not match
Postal Service records. Management stated they did not request copies of the air
waybill images because they believed the FedEx tracking system provided sufficient
proof of acceptance. However, using the FedEx tracking system as proof of acceptance
does not provide independent validation of GXG mailings from customers. When
program management does not comply with agreed-upon validation procedures
contained in the Alliance Agreement, there is an increased risk of paying FedEx for
mailings that do not originate with the Postal Service.

Further, as a result of this issue, we expanded our review to determine the number of
GXG mailings where Postal Service retail and network processing units missed one or
more of the required scans. We found                      GXG mailings (28 percent)
with postage and insurance totaling              were affected.[5] We discussed our
observations with GXG management who subsequently took corrective action by
including detailed steps for scanning GXG mailings in the GXG standard operating
procedures.
Therefore, we are not making a recommendation regarding this situation.

Re-Certification and Accreditation of the GXG Database

Postal Service management did not ensure timely re-certification and accreditation
(C&A) of the GXG database.[6] The Postal Service completed its last C&A of the GXG
database in FY 2001.[7] In November 2008, management completed a business impact
assessment (BIA).[8] At that time, the GXG database was designated a non-critical,
non-sensitive system. However, even though management re-classified the database,
they were still required to complete the C&A of the GXG database (at least every
5 years). The C&A ensures that existing security controls and processes are still in
place and functioning correctly. The executive sponsors, as representatives of the vice
presidents of the functional business areas, are responsible for ensuring completion of
all security-related tasks, which includes re-certifying and accrediting the GXG
database.[9]

Management believed the database, with its change in status, was immaterial and,
therefore, did not need C&A.
As a result, without a C&A, the Postal Service cannot
ensure the GXG database is adequately protecting information resources from security
threats and vulnerabilities that could negatively affect the Postal Service brand.

[4] A shipping label used on GXG mailing envelopes.
[5] Revenue includes postage and insurance totaling                                              ).
[6] Certification establishes the extent to which information resources meet specified
security requirements. Accreditation is management’s analysis and approval of security
controls as they relate to specified security requirements and acceptable risk levels.
[7] GXG Security Certification Report, dated January 8, 2001.
[8] The BIA is completed during phase two of the C&A process and is a process for
determining the sensitivity and criticality levels of Postal Service information resources.
[9] Handbook AS 805a, Information Resource Certification and Accreditation Process,
Section 2-6, and Chapter 3, October 2009.

Recommendations

We recommend the vice president, Global Business:

1. Direct the executive director, Global Business, to validate Global Express
   Guaranteed (GXG) billings by requesting and maintaining the air waybill image from
   the FedEx Corporation when GXG mailings submitted for payment do not match
   Postal Service records.

We recommend the vice president, Global Business, in coordination with the manager,
Corporate Information Security:

2. Conduct a re-certification and accreditation of the GXG database in accordance with
   Postal Service policy.

Management’s Comments

Although management agreed with our finding associated with recertification and
accreditation of the GXG database and with both recommendations, they disagreed with
the basis for our audit and the specific presentation of the finding related to GXG
validation and scanning procedures.

Specifically, management disagreed with our audit objective and that this was a
self-initiated audit. Management stated that the audit was actually initiated by Postal
Service GXG Alliance Management/Corporate Finance to identify the percentage and
root cause of items being reshipped after their return for improper customs
documentation.

Further, management noted the finding was not that they did not properly validate
FedEx billings but rather that they did not always adhere to the Alliance Agreement
guidelines in reference to exception processing. They noted that payment is to be made
even if the postal scans are missing and the non-matched records would then be
subject to the outlined exception processing.

Management further stated that 89 percent of GXG mailings missing Postal Service
scans were Click-N-Ship which validates these mailings as originating with the Postal
Service. Management added that the remaining 11 percent of shipments (representing
$34,450) did have the potential for overpayment and were, therefore, at risk.

Finally, management disagreed there was an increased risk of overpayment to FedEx
for mailings that did not originate with the Postal Service because GXG mailings can
only originate from the Postal Service.
GXG is not available in FedEx retail locations
and only the Postal Service can provide GXG to the FedEx induction site.

Regarding recommendation 1, management agreed to adhere, effective immediately, to
the exception process as stipulated within the Alliance Agreement by requesting and
maintaining supporting documentation for all shipments devoid of Postal Service
acceptance validation. The target implementation date was September 8, 2011.

Regarding recommendation 2, management agreed to request Information Technology
to perform timely recertification and accreditation of the GXG database. The target
implementation date is September 30, 2011.

See Appendix C for management’s comments in their entirety.

Evaluation of Management’s Comments

The U.S. Postal Service Office of Inspector General (OIG) considers management’s
comments responsive to the recommendations and management’s corrective actions
planned and taken should resolve the issues identified in the report.

Management asserted that the audit was initiated by Postal Service Global Express
Guaranteed (GXG) Alliance Management and Corporate Finance. During our annual
audit planning, we met with management to determine whether there were any areas
they believed would benefit from an OIG review. At that time, management requested
assistance from OIG to identify the percentage and root cause of items being reshipped
after their return for improper customs documentation. This request was designed to
assist the Postal Service in reducing the number of refused mailings by FedEx. We
agreed to incorporate this requested audit into our fiscal year 2011 audit plan.
However, prior to our starting the fieldwork, GXG management proactively requested
and received additional data from FedEx, which included information on the status of
refused mailings. We decided not to address the requested objective because management
informed us this additional data resolved the questions they initially raised to the OIG.
As a result, we modified our audit objective to determine whether control procedures
over acceptance, processing, tendering, delivering, and oversight of GXG mailings were
in place and operating effectively. We communicated this revised objective to
management in our fieldwork announcement letter and during the formal entrance
conference.

Regarding management’s disagreement with the GXG validation and scanning
procedures finding and monetary impact, the GXG Alliance Agreement states the Postal
Service will pay the amount billed by FedEx in the event of missing Postal Service
scans. However, the agreement also states that the Postal Service will note an
exception and request FedEx to provide supporting documentation. The Postal Service
then uses that documentation to validate the FedEx billing. GXG management did not
request the documentation for mailings associated with the $314,000; therefore, the
OIG believes the entire amount represents payments that were not properly supported.

The OIG agrees that valid GXG mailings cannot originate outside of the Postal Service.
However, Postal Service Click-N-Ship data does not provide adequate support when
Postal Service employees have not completed all required scans.
According to the Alliance Agreement, the Postal Service should request a copy of
supporting documentation when GXG mailings submitted for payment do not match
Postal Service records.


Appendix A: Additional Information

Background

The Postal Service has an alliance with FedEx to transport and deliver all GXG mailings
tendered by the Postal Service. Monthly, FedEx generates and electronically transmits
air freight detail invoices to the Postal Service. The Postal Service acknowledges
receipt of electronic invoices and verifies services rendered. The verification process
involves removing duplicate air waybills, claims for lost or damaged mailings, and
claims for money-back guarantees. The verification process also assesses penalties to
FedEx, if applicable, and determines their share of revenue.

The Alliance Management Committee, which consists of six members — three from the
Postal Service and three from FedEx — resolves invoice disputes. Upon completion of
the verification process, the Postal Service submits invoices to the St. Louis, MO
Accounting Service Center for payment through electronic fund transfers.

Postal Service policy requires management to certify all information resources,
regardless of where they are located or whether or not they are controlled directly by the
Postal Service.[10] Management should make sure to complete C&A of non-sensitive and
non-critical information resources every 5 years.[11] The purpose for re-initiating the C&A
process is so management can ensure that existing security controls and processes for
the infrastructure component are still in place and functioning correctly and that they
address changes to the infrastructure component.

Objective, Scope, and Methodology

Our objective was to determine whether control procedures over acceptance,
processing, tendering, delivering, and oversight of GXG mailings were in place and
operating effectively.

To accomplish our objective, we audited the Postal Service’s FY 2010 GXG operations
at Postal Service Headquarters and at the following locations:

•    Lehigh Valley and Pittsburgh, PA
•    Huntington and Santa Ana, CA
•    Baltimore, MD
•    East Boston, MA

[10] Handbook AS-805, Information Security, Sections 8-4.2 and 8-4.3, May 2011 and
March 2002, updated with Postal Bulletin revisions through October 30, 2003.
[11] Handbook AS-805, Section 8-5.7.9.

We judgmentally selected these sites based on the volume of reported mailings refused
by FedEx, the objective which was initially requested by GXG management, and the
proximity to OIG field offices. We compared Postal Service reports to the FedEx
tracking system and could not substantiate the concerns. Therefore, we focused our
audit efforts on management oversight and scanning procedures. We reviewed the
GXG Alliance Agreement[12] between the Postal Service and FedEx. In addition, we used
Postal Service manuals, policies, and procedures as criteria to evaluate controls over
GXG operations.
Also, we conducted interviews and onsite visits with FedEx and Postal
Service International and Domestic Express Mail® employees to identify value-added
mailing practices and assess the effectiveness of the FedEx manifest invoicing system.
We interviewed and met with headquarters officials, managers, and employees at Post
Offices and processing and distribution centers (P&DCs). We also observed GXG
mailing operations at the Dulles P&DC and FedEx Air, Ground, & Freight Service Ramp
Operations in Dulles, VA.

We conducted this performance audit from October 2010 through September 2011 in
accordance with generally accepted government auditing standards and included such
tests of internal controls, as we considered necessary under the circumstances. Those
standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our
audit objective. We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objective. We discussed our
observations and conclusions with management on July 28, 2011, and included their
comments where appropriate.

We assessed the reliability of the GXG database by sampling, at random, 60 GXG
mailing transactions. For FY 2010, we compared the tracking table to the Postal
Service’s Product Tracking System to validate acceptance and processing. We
determined that the data was sufficiently reliable for the purposes of this report.

Prior Audit Coverage

The OIG did not identify any prior audits or reviews related to the objectives of this
audit.

[12] The Postal Service began using FedEx to transport GXG mailings on July 1, 2004.
On June 15, 2009, the Postal Service renewed the Alliance Agreement for GXG through
June 30, 2014.


Appendix B: Monetary Impact

Finding                                   Impact Category                      Amount
GXG Validation and Scanning Procedures    Unsupported Questioned Cost[13]

[13] A weaker claim and a subset of questioned costs. Claimed because of failure to
follow policy or required procedures but does not necessarily connote any real damage
to Postal Service.


Appendix C: Management’s Comments